In Security and Trust Engineering our research and development work is mainly focused on: Network & Internet Security, Cloud and SOA-Security (SOA - Service Oriented Architectures) and Security Awareness.

... designed by the team of Prof. Dr. Christoph Meinel

Our Motivation

Creating secure Web Service-based composed applications is challanging due to the complexity of the WS-* specifications and the multitude of security specifications. On a technical layer, security services requires

Plenty of configurations

Strong security knowledge

Complex Security Configurations

Our Solution

The SOA Security Lab is designed as a virtualused testing environment for service-related security concepts. Our platform comprises several layers as shown in Figure 1.

Figure 1. Layers of the SOA Security Lab

Composed applications (provided as Software as a Service) can be created using a visual modeller and are executed in virtual machines (Infrastructure as a Service). Users can integrate external services (e.g. Amazon services), use the cloud platform to execute constom services (Platform as a Service) or compose predefined services (Component as a Service).

Features

1. Visual Creation of Composed Application

Composed applications based on Web Services can be created by modelling the structure of the desired system as shown in Figure 3. In order to secure the system, security requirements such as the protection of exchanged messages, the authentication of users, or the necessary trust relationships can be modelled as well. In addition, this model is verified to ensure a proper transformation to service configuration files and policies.

Figure 3. Modeling of a secure composed application. The services require the authentication of users as well as a confidential exchange of messages.

2. Generation of Security Configurations

The Policy Management performes the transformation of the model to service configuration files and security policies (e.g WS-SecurityPolicy) that can be deployed and enforced at services and frontends used in the composed application. This information is based on security configuration patterns that provide expert knowledge to transform simple security intentions to complex security configurations. The different layers in the transformation process are shown in Figure 4. Additional information about our model-driven approach are provided here.

Figure 4. Model-driven Generation of Configuration Files

Modelling Layer: This layer is the foundation for a pattern-based transformation. System design models are enhanced with security intentions to specify security requirements.

Configuration Files: This is the technical layer which states security requirements in a deployable notation, e.g. WS-SecurityPolicy.

3. Deployment and Execution of Applications

Services, frontends and related metadata are stored in the service repository. On demand a virtual machine is created for the user to execute a modelled use case. The Scenario Management component (see Figure 5) deploys all components and configuration files related to the modelled use case. Finally, each user can eecute, analyse and test composed applications in its own isolated environment.

Figure 5. Deployment of composed applications

4. Monitoring and Analysis of Security Mechanisms

Figure 6. Visualising the structure of exchanged messages

Our platform enables users to gain insight into services and the security modules used to enforce security policies. For each service, the security modules can be visualised. The messages that passed these modules can be inspected as well. Figure 6 shows the visualisation in our platform that depicts a chain of security modules and a service request that passed this chain. The message security protocols and mechanisms used to secure this message are analysed and highlighted.